Cisco Systems is warning of a high-severity flaw affecting more than a half-dozen of its small business switches. The flaw could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges.
Specifically affected are Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches. Cisco said it was unaware of active exploitation of the vulnerabilities. Software updates remediating the flaws are available for some of the affected switches, however, others have reached end of life (EOL) and will not receive a patch.
The flaw (CVE-2020-3297), which ranks 8.1 out of 10.0 on the CVSS scale, stems from use of weak entropy generation for session identifier values, a Wednesday Cisco security advisory said.
“An attacker could exploit this vulnerability to determine a current session identifier through brute force and reuse that session identifier to take over an ongoing session,” according to Cisco’s advisory.
In this way, an attacker can defeat authentication protections for the devices and obtain the privileges of the highjacked session account. If the victim is an administrative user, the attacker could gain administrative privileges on the device.
Specifically affected by the issue are: Cisco 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches.
Cisco has fixed the issue in firmware release 220.127.116.11. This update will apply to the 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches.
However, Cisco said, the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches and Small Business 500 Series Stackable Managed Switches have passed the end-of-software-maintenance milestone.
“Although these switches are vulnerable, Cisco will not provide a firmware fix,” said the company.
Cisco on Wednesday also released patches for a slew of medium-severity flaws, including ones in its small business RV042 and RV-042G routers, its Digital Network Architecture Center, its identity services engine, its Unified Customer Voice Portal, Unified Communications products and AnyConnect Security Mobility Client.
Earlier in June, the networking giant also stomped out three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems.
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to registerfor this Threatpost webinar, sponsored by Valimail.